Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
08-06-2024 22:24
General
-
Target
Funny.exe
-
Size
38KB
-
MD5
90fc7afe1b516a9fa685089ae0f5f322
-
SHA1
94ee6cb901f16a3136607c0e194c1e76b5ac76d8
-
SHA256
a53ea993bd31a24b3620978a84164bba38f592eb01f4d4cfe9bc4ae1af99c4a4
-
SHA512
e3f5d77e6da170460d9bfa3273608397f3fb0bc98eb34ed1729c357681d449a443e54abf75259efceca98c1527e0ed6201154556a1e889b11901a1b53fb5f2c9
-
SSDEEP
768:lPDWCCqClY9UiX/anrEvr0GXFyc9BjQ6OO/hdDQnl+:lPDWPleUganrezF39xQ6OO/Wl+
Malware Config
Extracted
xworm
5.0
by-mit.gl.at.ply.gg:3500
MsPnnj1aWUGMygHH
-
Install_directory
%ProgramData%
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Deletes itself 1 IoCs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Funny.exe"C:\Users\Admin\AppData\Local\Temp\Funny.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Funny.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Funny.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\program'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'program'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "program" /tr "C:\ProgramData\program"2⤵
- Creates scheduled task(s)
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "program"2⤵
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB73.tmp.bat""2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\taskeng.exetaskeng.exe {91487873-838F-4A15-9332-D037AD3887BF} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\programC:\ProgramData\program2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\programC:\ProgramData\program2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\programFilesize
38KB
MD590fc7afe1b516a9fa685089ae0f5f322
SHA194ee6cb901f16a3136607c0e194c1e76b5ac76d8
SHA256a53ea993bd31a24b3620978a84164bba38f592eb01f4d4cfe9bc4ae1af99c4a4
SHA512e3f5d77e6da170460d9bfa3273608397f3fb0bc98eb34ed1729c357681d449a443e54abf75259efceca98c1527e0ed6201154556a1e889b11901a1b53fb5f2c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5503288783facb2b3e26b9a41bca88fb9
SHA1d14ad2461c1007039612656ebef47761130b06a7
SHA2561b806ec779147b13351744ffff75936a6a57cedaac09cf22a4262e4d0e76b0cb
SHA512fb6942e639be460a4e1d3acdcaf1b926a03cc317318b3dba885c465edd57df39af4494592995dad1919d0670b127cea9e42f862aad9a4f93731bb136be7b3195
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5cedb1a88fc705b4ff3c66be520d37de8
SHA1e1d2f0a94fbf7aa01251400c3c700a1970505005
SHA2568944c17db947637c5183cdaeae368f16eea2c464d39541d016f240192dacffe4
SHA512525b328d98b785778bd279a679196f7e638cee9980f3a1692eb5821c67737c209ee7f9145a264dc4c36094c52597ecd13583b74542c3e2a87b83cbb72cd43725
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD579b6d4d6179e92344038bc5a2a55acdf
SHA121e2fbf917dc3c7bab91e1041a3d18473f48e84e
SHA25699be2c6d6f8acedead9cc7156ab7896b0e28415d36d5e7d89364a8580a27e933
SHA5123a0e08ecde8404f2dc72c53477e2b8fcef5856636a4c59db416e7b06f703a2390f64615c2aac95f92eb6e4dfca8cf36b1c169cd32628b1ce1df6806297cfc0ea
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5661310851646719a4b849ef6ae1bb6a2
SHA1f7aa3d2072e0017bb7e8390e07f90b91b00b7605
SHA25684a87c218128bd41faecf4d29bc819659084b6de52550cbc33df0af139866006
SHA512f935c824621599311e265860f462c42f3a700f0edf244c545fad6ec72b401b16d0f0909da148f5d40960f4283615e2b9661ff61804fa4a8be6d00e4ffe2d8d01
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD57885e6321ea08500c8477f9355fb28cf
SHA199112cf2834e98b839da5fee5f204c9aa1cfd10e
SHA256f8da37e2585f5287bcae0b6b79fa9aa64e0d58149b2ef2da3936db0bf32b55cf
SHA5121263ba0ca6893ed962113cdb16ec96a35c01b513e2d0902528291e34a89ab2aa0aa7ec69df0a89e7d596ad63f6b5b07af1f0704985fca9de0778359833e00d7f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5dc456b6aefb00b771efb9905a3245025
SHA1b44c5de8bf539672dd8e11db0fbf91c7494686bf
SHA256fc26a71be122eac5ade58709bb01804b7d0c89d550ea13c6ea82138a6ddef02b
SHA512385bbe7ffdbb165f2db12f3e636e7dfe6159491620262e99a95bb7cfc8894c9b394ccb8ea8d9098a139d57ac102a7c7442bb07f1b73a3a9270647e70cdcf2ed7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD564b7c98a304523e510814ca0e6a822c2
SHA18f6e2420bd04500dcd197832c28cf2c61b96877f
SHA256d71d246c099893dbae89bb67fde11f75ffdfa82864badadef43f5aef99e06fd2
SHA512675d814ffd1eb62f365d32ebd08f004a557d4711b08ef15820ad0aed17150b3470b51adcccebdfe77e4345b61417d362a66a116b504e408cbb48c5c525f62b13
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD52d177cbf932c2062097aae4a6646c1a9
SHA16c2f83c5d87946682e72d71bd234dc50607ca150
SHA2564d4f2d1d547b09c98ff9fd6bc3d8c40c0221778ac922e7381f48ec2033257af1
SHA512f9c000de520865b16f927a29a089e59f1f394f933daa22277c410a40e2d8cbf6f671ec7c904bdf27756966d620400720490b64440919fafe9cb673fab01c9125
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58057b4b63359220531531c070b0b8d8c
SHA13c7e4999fbc59607a3bd6e8f18b1f4913b82a9db
SHA256f17e6fa88956d7b711a87aa64c2e812f07b6d3149b8fa7ab190881aa708057de
SHA512d05cd516a684625c0b67a2b43667712a960b7fd80e93db0c014354bbde920838512d0fb56a3ef5ac048e3d11f61049209284bef04299edfd74f8fc7c7166e558
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD580207e24c67ebd99cbfb2b93d9a323ea
SHA1f7f4f7487d1912907815c2865ce09872e7818318
SHA2564ca18f94e8dc45a8b8930e88a68af59437567e1a2169ba7dbb40ac806f2d2a53
SHA512dc47f6fe8dbd74669bca5cb24731a3afc98ca644c8e784cc58b877b21e34a480272b3811dc3e7dc6654fbe595a72df6ad989a218bb4a5995ba092c88f97964fe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5be42c9492f463f573f5d73564871aa60
SHA108d70599182c78ac066441105eb31e552b03f7b7
SHA256ca497e5899c45c975c9f3cd1f6d7ab634cf65d53f45e5c39b22d82a39aacf96c
SHA5123520f9b742c9b4f541f6cf83cf04566283a999d2d192a7439a1d56ead5167f84099650a4fd4c428db0c5500a1ca82a821efb561b6a3ec643c3741c059691998c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5c32ea218a7aca7c8c3904554e730f601
SHA1ad17056bddfc1aeb91b905edc992499d2668b243
SHA256d6c325c36db46c43ca1e152426105c84906c04e222df39161c3a33b450601cf6
SHA512e81e1e959a06f28835d5609c0fc5db297d2b231b082febd70ae02ca81571e1297bac4e1b9cdb1327986808940312c05e08e16682a2e628c49f2da5c6d775e7fb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD54d2b44410a179bf87974334bcb6c9705
SHA1d4c3584289fb12e5c0848d99040db9a16dd1bad3
SHA256a7461bcb3e84da10000afbd64584e8f3f2ce7dc8b13c5df25b687a1ac9cf28f0
SHA5128f98b2e53d23b941ed90eda8763c3cb2a79012a2f1bfb8c9f9ae267985a436b3dff4ca9c15154a711cedc9dfc3e1cf3b568edcb1536fd10f9625c580ae9c2f00
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5630ce8098c12bc97bc78cd1fc0ac1741
SHA1d08ba7dc837eba175ba39b058c1825417a09e0df
SHA256a566dfc6a52ee0c979d1d3cac7bf3094a23dc7e011b69aacd240262d9eb7a367
SHA512e16a4b8d77cc067d3b1e00bce80e0c01d5aed38d9ec9beed3a75cd44211e5aaa5245f6676006dd7ee4e53851471b2b4dad855bc1dc7b2f305424abe031bcb2c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5048cbaa33b8e9a0659ee99bd3579913d
SHA1c44669ae4546c92304641ae3b16a073832d3feaf
SHA2562ddaf19b91dfbec886be16016837fff01d2d3c32f9bfcd1f6e499dcb37e4644a
SHA5120fcbc80cb6b0de150f42f72373f5a057c753dbb254b522a29a27fce618d5d784bd7b6367da490c86b6076124259e54b7576118087ba48404e9e874d64d7d809e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5dcb6d1689a0bdc89a1ea2fa45d242a34
SHA1ffa0a3b2ffdcf1ed0bebd66781c2ccb06bcf81d3
SHA2569bb14670d8009b4236e5afbb3007b84463057de6a2dd986e8354009f07225ccb
SHA512f85c0a4dceeffa24f8928d06869ef98df4827700a8fe7561f6b69ff1657c9fce50994fdb55ae3f20a749d21989592547e5b9b86637edc41f4968f3ba61b27a5f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD58c033301bce3cdbdc60f20bdaf450eae
SHA1ef717f6c1c25d6387ccb8d35db0f748a00dd6339
SHA256f0e2b25c772a43a8ef51fc2b653bc794ac79ac7825f8707390aec5a573092b23
SHA512daca1d04f8a40f16b48070cd25bac429740036b0ffa5eb2306006e0a1faf36c5ed72850d07b5c2093c70ba528f78bd8b0de84dfe7218e3d4b447a5cfc0133285
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5fa6fc7afce4d423c85c12eec0a63c519
SHA1450a81c494fb22c88b65c4b19fb337e1b0590f92
SHA256cfec3e18ca9760282aa2142835183913740a39aeb6f78e8ff323c87db5a6a1b2
SHA5123b1b2b6929aecdcdece86e3d981b4ba046da6d279654c2cb94b090da115a0b5b580d95aab4fa67d95530460cf8e08879085e64f2fae9632371b66e8448c6776c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
342B
MD5e9891a2a54df2f4fc6f73bf6b12838e1
SHA116b021790e131096209db9ca054667a981b60bf2
SHA256c8217ac6d364d568bef0a6c95d8d3afae8a9c82bcf4819449ad57af4e955dcb2
SHA512a5df62c05b95ec82069afe3c129afa725b4159c8e81fa1d77bcf58bf346380286b31bfed40fc13ef79bbe876af8e792cd7554166e1d20113423b6dbc691b29cf
-
C:\Users\Admin\AppData\Local\Temp\CabD1B4.tmpFilesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\Local\Temp\TarD295.tmpFilesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
C:\Users\Admin\AppData\Local\Temp\tmpBB73.tmp.batFilesize
157B
MD5f1e45f45850cb3f942b7fd089bed66a1
SHA1109d96998edd41f76a8ab41570df3aebebbf404b
SHA256060da637d008983be0c8c30d86166500d982113ab1d6dab1721d4778b0ff19f4
SHA51260f8bf18f425df60935e68280b6f8a5eb8ad63f8931061c92feeb5581ad07a88d70a3358643b3dedb6964d2012d67235fc7649ad15df78888e0404d847d14916
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD58139bc749f7094ce72689b76944c3bb5
SHA193790fd62523c37d7a01faa26de2877337d51c88
SHA256d4d3239c90f49c53a281c3075fd34fcc322645f50a8a54139a6b03d562e443a4
SHA5123b3cd037083139c5af83c561bc966b5f3daeeac5db390a50df5d5e7384437e42737f49f5784c4d5f01e6cef2b77079f1918843a0bb4d70049cd1df059363def0
-
C:\Users\Admin\Desktop\How To Decrypt My Files.htmlFilesize
625B
MD5022d4d61eddfa7c9a37e5a3d509bfee0
SHA1d7d266e2f96388dbee969466c43b5f9d71628473
SHA256c5d776934714336409fd9d857c76193baae9552aed2c9fef4b25e361e93f06bb
SHA512a0dcc92389bc64e0b57743ee2034f31d2585cc92b82a4d47d5e1cce140fc4be787109d219d945bcb94cbce86335a05b13bd8caae8fc9dc4e453eca6bc7428f32
-
C:\Users\Admin\NTUSER.DAT{016888bd-6c6f-11de-8d1d-001e0bcde3ec}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD5fe3907979d7da74e215004b312a2bcd6
SHA1f18f1240bbaf4c03f68a5bc9984f3cff65a860af
SHA256425e14c205234c2193ae9836f2f188c380d3a6ac3a092f58a6ecdc59324dd249
SHA5126681d089c2d9ac5367445b0e20c38e1009b1763a5676b4027e13aa48f3f7e22081a4b7519377e964e1275b2c717d9a51e97cfc79cc29273003413b7082c99a21
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/976-686-0x0000000000F00000-0x0000000000F10000-memory.dmpFilesize
64KB
-
memory/1916-34-0x0000000000D00000-0x0000000000D10000-memory.dmpFilesize
64KB
-
memory/2240-37-0x000000001A740000-0x000000001A74C000-memory.dmpFilesize
48KB
-
memory/2240-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmpFilesize
9.9MB
-
memory/2240-35-0x000007FEF5253000-0x000007FEF5254000-memory.dmpFilesize
4KB
-
memory/2240-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmpFilesize
4KB
-
memory/2240-835-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmpFilesize
9.9MB
-
memory/2240-36-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmpFilesize
9.9MB
-
memory/2240-1-0x0000000000F40000-0x0000000000F50000-memory.dmpFilesize
64KB
-
memory/2516-16-0x0000000002710000-0x0000000002718000-memory.dmpFilesize
32KB
-
memory/2516-15-0x000000001B4B0000-0x000000001B792000-memory.dmpFilesize
2.9MB
-
memory/2628-7-0x00000000027F0000-0x0000000002870000-memory.dmpFilesize
512KB
-
memory/2628-9-0x0000000002990000-0x0000000002998000-memory.dmpFilesize
32KB
-
memory/2628-8-0x000000001B4F0000-0x000000001B7D2000-memory.dmpFilesize
2.9MB